PSNI Faces £750,000 Fine for Major Data Breach

 

The Police Service of Northern Ireland (PSNI) is set to receive a £750,000 fine from the UK Information Commissioner’s Office (ICO) due to a severe data breach that compromised the personal information of over 9,000 officers and staff. This incident, described as "industrial scale" by former Chief Constable Simon Byrne, included the accidental online release of surnames, initials, ranks, and roles of all PSNI personnel in response to a Freedom of Information request. 

This breach, which occurred last August, has been deemed highly sensitive, particularly for individuals in intelligence or covert operations. It has led to significant repercussions, including Chief Constable Byrne's resignation. Many affected individuals reported profound impacts on their lives, with some forced to relocate or sever family connections due to safety concerns. The ICO's investigation highlighted serious inadequacies in the PSNI's internal procedures and approval processes for information disclosure. 

John Edwards, the UK Information Commissioner, emphasized that the breach created a "perfect storm of risk and harm" due to the sensitive context of Northern Ireland. He noted that many affected individuals had to "completely alter their daily routines because of the tangible fear of threat to life." Edwards criticized the PSNI for not having simple and practical data security measures in place, which could have prevented this "potentially life-threatening incident." He stressed the need for all organizations to review and improve their data protection protocols to avoid similar breaches. 

The ICO's provisional fine of £750,000 reflects a public sector approach, intended to prevent the diversion of public funds from essential services while still addressing serious violations. Without this approach, the fine would have been £5.6 million. In response to the breach, the PSNI and the Northern Ireland Policing Board commissioned an independent review led by Pete O’Doherty of the City of London Police. The review made 37 recommendations for enhancing information security within the PSNI, underscoring the need for a comprehensive overhaul of data protection practices. 

Deputy Chief Constable Chris Todd acknowledged the fine and the findings, expressing regret over the financial implications given the PSNI's existing budget constraints. He confirmed that the PSNI would implement the recommended changes and engage with the ICO regarding the final fine amount. The Police Federation for Northern Ireland (PFNI), representing rank-and-file officers, criticized the severe data security failings highlighted by the ICO. 

PFNI chair Liam Kelly called for stringent measures to ensure such an error never recurs, emphasizing the need for robust data defenses and rigorous protocols. This incident serves as a stark reminder of the critical importance of data security, particularly within sensitive sectors like law enforcement. The PSNI's experience underscores the potentially severe consequences of inadequate data protection measures and the urgent need for organizations to prioritize cybersecurity to safeguard personal information.

Digital Disaster: Electoral Commission Data Breach Leaves 40 Million UK Voters Exposed

 


Public confidence in the UK's electoral regulator has been sorely tested by the revelation that a hostile cyber-attack between February and May of last year was able to access the data of 40 million voters without being detected, and that the public was not notified for about ten months.

The personal information of approximately 40 million U.K. voters is estimated to have been vulnerable for over a year as a result of the Electoral Commission falling victim to a complex cyberattack. The Electoral Commission reportedly noticed suspicious activity on its network in October 2022 and has confirmed the detection.

The Electoral Commission is responsible for supervising elections in the country. Unidentified "hostile actors," however, had gained access to its systems over a year earlier, in August 2021, as was later revealed.

The attack was reported to the Information Commissioner's Office (ICO) and the National Crime Agency within 72 hours of being detected. The intrusion gave unauthorized access to the Commission's servers, which house email, control systems, and copies of the electoral registers that the Commission maintains for research purposes. It is currently unknown who the intruders are and where they came from.

However, the Commission did tell the BBC and The Guardian that it delayed this disclosure by another 10 months to prevent the adversary from getting access to the network, investigate the extent of the breach, and enforce security safeguards. It is not clear why the disclosure was delayed by another 10 months. 

As noted in the report, the Commission said that the data that could be accessed can also be combined with publicly accessible information to "infer patterns of behaviour or to identify and profile individuals and groups of individuals."

Furthermore, it said that the attack had no impact on the electoral process or the electoral registration status of any voters, and that the details held on its email servers pose little risk to individuals unless they contain sensitive information.

The registers included the names and addresses of people residing in the United Kingdom who were eligible to vote between 2014 and 2022, as well as the names of those who plan to cast their ballots from outside the United Kingdom.

However, they did not contain information on those who qualified for anonymous registration, or the addresses of overseas electors who were registered outside of England and Wales. The attack was reported to the Information Commissioner's Office (ICO) and the National Crime Agency within 72 hours of being discovered last October.

As a result, the ICO immediately reported the incident to both entities. Despite this, it was only recently disclosed to the public that the data of millions of voters, if not all, may have been accessible through the election registers over the last several years.

The Electoral Commission has no conclusive way to determine what information was accessed. It is not known whether the attackers were associated with a hostile state, such as Russia, or with a criminal cyber gang.

The Electoral Commission has said that the records of most of these people would have been publicly accessible anyway because they were on the open register to begin with. However, a Sky News analysis reveals that about 28 million people were absent from the open register that year as a result of their own decisions.